In this article, we would like to share how we found a bug in which OLE32.dll incorrectly handles an integer overflow, and how that bug is being used to bypass security solutions and fool file parsers.
You can find the timeline of our correspondence below.
In the last few months, the Mimecast Research Labs team has seen several unique variants of Microsoft Office Word exploits, more specifically ones combining the previously patched memory corruption issue CVE-2017-11882 (AKA the Equation Editor exploit) with another issue to amplify the attack and make it go undetected. Our detection engines spotted an attacker group, which appears to originate from Serbia, using specially crafted Microsoft Word documents to take advantage of how Microsoft Word handles integer overflow errors in the OLE file format. These exploits chained what we believe to be an unfixed vulnerability in the Object Linking and Embedding (OLE) file format, and the way it is handled in Microsoft Office Word, with that memory corruption issue. The group was able to exploit this bug to circumvent many security solutions designed to protect data from infection, including leading sandbox and anti-malware technologies.

We reached out to Microsoft when we discovered this issue, following Coordinated Vulnerability Disclosure (CVD), and provided a working proof-of-concept (POC). Microsoft acknowledged it was unintended behavior but declined to release a security patch at this time, as the issue on its own does not result in memory corruption or code execution.
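The article does not say which OLE header field the attackers overflowed, so the following is an added example (not Mimecast's code) of the class of check a defensive parser or scanner should apply: it reads the sector references in a compound file (CFB) header and flags any whose byte offset wraps in 32-bit arithmetic or points beyond the end of the file, instead of silently wrapping as a naive parser would. The header constructed by `make_header` is a minimal synthetic sample, not a real malicious document.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT = 0xFFFFFFFA  # sector IDs above this are reserved markers (MS-CFB)

def sector_offset(sid, sector_shift):
    """Byte offset of sector `sid`: the true value and what a 32-bit parser computes."""
    true = (sid + 1) << sector_shift
    wrapped = true & 0xFFFFFFFF
    return true, wrapped

def check_cfb_header(data, file_size=None):
    """Return a list of findings for an OLE compound file header.
    Flags sector references whose offset does not fit in 32 bits or lies outside
    the file: a parser doing 32-bit arithmetic wraps them, so its view of the
    document diverges from the consumer's."""
    findings = []
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return ["not a compound file header"]
    file_size = len(data) if file_size is None else file_size
    (sector_shift,) = struct.unpack_from("<H", data, 0x1E)
    if sector_shift not in (9, 12):  # 512-byte (v3) or 4096-byte (v4) sectors
        findings.append(f"unexpected sector shift {sector_shift}")
    # (name, header offset) of the 32-bit sector references in the fixed header
    refs = [("first directory sector", 0x30),
            ("first mini FAT sector", 0x3C),
            ("first DIFAT sector", 0x44)]
    for name, off in refs:
        (sid,) = struct.unpack_from("<I", data, off)
        if sid > MAXREGSECT:
            continue  # ENDOFCHAIN / FREESECT are legitimate "no sector" markers
        true, wrapped = sector_offset(sid, sector_shift)
        if true != wrapped:
            findings.append(f"{name}: sector {sid:#x} offset wraps in 32-bit "
                            f"arithmetic ({true:#x} -> {wrapped:#x})")
        elif true >= file_size:
            findings.append(f"{name}: sector {sid:#x} offset {true:#x} is beyond end of file")
    return findings

def make_header(dir_sid, sector_shift=9):
    """Constructed minimal 512-byte CFB header for testing (not a real sample)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    # minor version, major version 3, little-endian marker, sector shift, mini sector shift
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, sector_shift, 6)
    struct.pack_into("<I", hdr, 0x30, dir_sid)
    struct.pack_into("<I", hdr, 0x3C, 0xFFFFFFFE)  # ENDOFCHAIN: no mini FAT
    struct.pack_into("<I", hdr, 0x44, 0xFFFFFFFE)  # ENDOFCHAIN: no extra DIFAT sectors
    return bytes(hdr)
```

A scanner that applies checks like these can reject or flag a document whose header only "works" under wrapped arithmetic, rather than parsing it as harmless.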